MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ee995310cec67c9269847de4fc0964a05f9659adf24ca560419665ca6d4a428. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 12


SHA256 hash: 3ee995310cec67c9269847de4fc0964a05f9659adf24ca560419665ca6d4a428
SHA3-384 hash: d075bdb04b628263987a8a072661e0a21719c05d5dbbfc155ecd9fdab741458f488f1206becb9deb8dc8248d3f3ac88d
SHA1 hash: b1f92b8e91940a736be8a1908b9ed7ccc8912178
MD5 hash: e76372dfcf0db7e66038f949968d0706
humanhash: eleven-lactose-indigo-tango
File name: ProofOfPayment.exe
Signature NetWire
File size: 544'768 bytes
First seen: 2022-07-25 13:36:28 UTC
Last seen: 2022-07-25 17:06:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ejz67v300arsCdUwDeS60BNpRekBeZh2roPoVx8:17vE0usCdISDBNzZBBVx
TLSH T12DC412153A7ADB64E67E8FFC902112006BF4B29E3302E7BA8ED7B4D67445B6046409F7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags: exe NetWire RAT


abuse_ch
NetWire C2:
185.140.53.154:3343

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
185.140.53.154:3343 https://threatfox.abuse.ch/ioc/839443/

Intelligence


File Origin
# of uploads: 2
# of downloads: 397
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Netwire RAT
Threat name: Win32.Trojan.NetWired
Status: Malicious
First seen: 2022-07-25 13:37:08 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet rat stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
185.140.53.154:3343
185.140.53.154:3345
Unpacked files
SHA256 hash:
85d9eafef3c686b7d35f81603480a8eba99e685819b328f50feee2a4f8c531c9
MD5 hash:
444f207288746f49a1786cbc6e3779f1
SHA1 hash:
fa367f429d993e699111f00500424708f0a954a5
SHA256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
SHA256 hash:
c8f9e80257eb603eab4f72905ab114c972046b677bf6761d9c54ab3da1193c9d
MD5 hash:
5e60d7567d7893a30af1737f4e791ea2
SHA1 hash:
8f9268874e93b1172dd6d806704ed52e611e3923
Detections:
win_netwire_g1 win_netwire_auto
SHA256 hash:
860174a1e8cf2ee6e85823abb68f04df5539b6c40c37e8c2de7c15783663b8f3
MD5 hash:
0b2457d6243631d4aaf912cc87b5287b
SHA1 hash:
8a80c76bd72576cb82b2f31fb64125adce6dbeed
Detections:
win_netwire_g1
SHA256 hash:
13ca2f7a55b98e1890983122e67935c97e6d9df4429279d49a1324c6d56f0451
MD5 hash:
8b3a92a3409ae046bf3dc0753fcf8685
SHA1 hash:
4455c3efa2bf569f6d180063bb1e104a22581d61
SHA256 hash:
3ee995310cec67c9269847de4fc0964a05f9659adf24ca560419665ca6d4a428
MD5 hash:
e76372dfcf0db7e66038f949968d0706
SHA1 hash:
b1f92b8e91940a736be8a1908b9ed7ccc8912178
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: Malicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxiliary
Reference: https://pastebin.com/8qaiyPxs
Rule name: malware_netwire_strings
Author: JPCERT/CC Incident Response Group
Description: detect netwire in memory
Reference: internal research
Rule name: MALWARE_Win_NetWire
Author: ditekSHen
Description: Detects NetWire RAT
Rule name: MAL_unspecified_Jan18_1
Author: Florian Roth
Description: Detects unspecified malware sample
Reference: Internal Research
Rule name: MAL_unspecified_Jan18_1_RID2F4A
Author: Florian Roth
Description: Detects unspecified malware sample
Reference: Internal Research
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: netwire
Author: jeFF0Falltrades
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Suspicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxiliary
Reference: https://pastebin.com/8qaiyPxs
Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.netwire.
Rule name: win_netwire_w0
Author: Jean-Philippe Teissier / @Jipe_
Description: NetWiredRC

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments